The Wire is a virtual press conference. It contains press releases from credentialed industry organizations and manufacturers. Releases are not reviewed or edited by SVConline editorial staff.


AMX Media Statement

AMX by Harman addresses blog post by SEC Consult claiming to discover security vulnerability in AMX devices and systems

1/26/2016 12:32 PM

A number of stories have run today about an independent security firm’s identification of certain potential security vulnerabilities in AMX systems.  Unfortunately, these stories are confusing, and we would like to clarify a number of the issues that have been discussed.

First, we want to clarify the risks and terms being discussed. “Black widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update.  We informed our customers and the update was deployed in December 2015.

“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login.  The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.

The firmware update, NX v1.4.65, is applicable to products and systems incorporating the NetLinx NX Control platform and was released on Dec 22, 2015. It is available on AMX.com. More information on this release can be found at http://www.amx.com/techcenter/NXSecurityBrief/Default.asp. This issue has been addressed in legacy NI series by Hotfix v. 4.1.419 and is available from AMX Technical Support.

In terms of the names, these were lighthearted internal project names that our programmers used with no intended meaning.

We take security very seriously and are continuously testing our own systems and capabilities and developing more sophisticated updates. 

Q&A

Was there ever any potential significant threat?

There are multiple layers of security in these systems and we did not see serious risks due to the issues we identified. In addition, we are not aware of any breaches.

Did this consultant reveal the issue?

While we appreciate the interest of the security consultant that posted the story, AMX had already identified the issues through our routine security review and had been working on the solution internally.

 

 
